Log Types: Tru64Audit
Overview
Tru64 UNIX is a discontinued 64-bit UNIX operating system for the Alpha instruction set architecture, currently owned by Hewlett-Packard.
Collection
The open source “Snare for Tru64” agent was capable of collecting Tru64 log data when the operating system was still supported. Please contact the team at InterSect Alliance for assistance if you still have a requirement to monitor legacy Tru64 systems.
Sample Events
Tru64Host Tru64Audit 0 051202094634 root 200:0:0 824 822 0x3ffc0004000 mmap ( -1 0x7 0x3ffc0004000 0x12 0x2000 )
Tru64Host Tru64Audit 0 051202094634 root -1:0:0 730 1 0x0 bind socket=INADDR_ANY:2301 sockproto=AF_INET,SOCK_STREAM,IPPROTO_TCP host (err 48)
Tru64Host Tru64Audit 0 921202094634 root 5497:0:0 1873 823 0x0 auth_event ( Local Protected Password Database modified by dxaccounts User Entry testusr3: MODIFICATION. Old value for u_pwd: * New value for u_pwd: D1EjuXDrY9qNmo )
Tru64Host Tru64Audit 0 051202094634 root 200:0:0 825 822 0x0 execve ( /sbin/grep grep -v grep )
Fields
Field | Description |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | Tru64Audit |
EVENTID | Event ID, such as bind, execve, or auth_event |
USERID | UserID that generated this event |
AUID | Audit User ID - generally set at login, and will not change throughout the session. |
RUID | Real UID |
EUID | Effective UID |
PID | Process ID |
PPID | Parent process ID |
RETURNCODE | Return code |
STRINGS | Any other values that do not fit into one of the existing fields |
TARGET | For events that act on a particular resource, the resource may be duplicated from the strings section into this field (e.g. file access) |
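
The following Python parser for the sample events above is an added example, not code from Snare or from this page. The column order (system, table, an uninterpreted third column, raw timestamp, user, AUID:RUID:EUID, PID, PPID, return code, event, strings) is an assumption inferred from the samples and the field table, and `Tru64Event`, `parse_event` and `redact` are hypothetical names. It also masks `u_pwd` values before the event is passed on, because the `auth_event` sample carries the new password field in its strings.

```python
import re
from typing import NamedTuple

# Events copied from the "Sample Events" section of this page.
SAMPLES = [
    "Tru64Host Tru64Audit 0 051202094634 root -1:0:0 730 1 0x0 bind socket=INADDR_ANY:2301 sockproto=AF_INET,SOCK_STREAM,IPPROTO_TCP host (err 48)",
    "Tru64Host Tru64Audit 0 921202094634 root 5497:0:0 1873 823 0x0 auth_event ( Local Protected Password Database modified by dxaccounts User Entry testusr3: MODIFICATION. Old value for u_pwd: * New value for u_pwd: D1EjuXDrY9qNmo )",
    "Tru64Host Tru64Audit 0 051202094634 root 200:0:0 825 822 0x0 execve ( /sbin/grep grep -v grep )",
]

class Tru64Event(NamedTuple):
    system: str
    table: str
    flag: str        # third column; its meaning is not documented on the page
    timestamp: str   # kept raw; the page does not define this encoding
    userid: str
    auid: int        # assumed order of the colon triple: AUID:RUID:EUID
    ruid: int
    euid: int
    pid: int
    ppid: int
    returncode: int
    eventid: str
    strings: str

# Matches "Old value for u_pwd: X" and "New value for u_pwd: X".
_U_PWD = re.compile(r"(value for u_pwd:\s*)\S+")

def parse_event(line: str) -> Tru64Event:
    """Split one whitespace-delimited event; raise ValueError if malformed."""
    parts = line.strip().split(None, 10)
    if len(parts) < 10 or parts[1] != "Tru64Audit":
        raise ValueError("not a Tru64Audit event: %r" % line[:60])
    system, table, flag, stamp, user, ids, pid, ppid, rc, event = parts[:10]
    auid, ruid, euid = (int(x) for x in ids.split(":"))
    strings = parts[10] if len(parts) > 10 else ""
    return Tru64Event(system, table, flag, stamp, user, auid, ruid, euid,
                      int(pid), int(ppid), int(rc, 16), event, strings)

def redact(event: Tru64Event) -> Tru64Event:
    """Mask password-field values so they are not stored downstream."""
    return event._replace(strings=_U_PWD.sub(r"\1[REDACTED]", event.strings))

if __name__ == "__main__":
    for sample in SAMPLES:
        print(redact(parse_event(sample)))
```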
Notes